IN THE CLAIMS

1. (Currently Amended) A method for determining and enforcing service policies over a
network, said method implemented in a service policy director [[network device]], comprising the
steps of:

a. receiving authentication messages sent from a user to an authentication server [[for a
user at said network device]];

b. determining from said authentication messages user identifiers and service attributes
associated with said user;

c. creating a user service policy entry in a user policy table for said identified user 
containing said service attributes; 

d. consulting said user policy table to determine how to manage said user traffic 
subsequent to said user authentication messages; and 

e. managing subsequent user traffic based on said consulting step. 

2. (Cancelled) 

3. (Currently Amended) A method for enforcing service policies over a network, as per claim 1,
wherein said user policy table is located within said service policy director [[network device]].

4. (Currently Amended) A method for enforcing service policies over a network, as per claim 1,
wherein said service policy director [[network device]] offers internal network services comprising
at least one of bandwidth management, access control or network usage statistics.

5. (Original) A method for enforcing service policies over a network, as per claim 1, wherein
said authentication messages are using any of the Radius protocol or the LDAP protocol. 

6. (Currently Amended) A method for enforcing service policies over a network, as per claim 1,
wherein said service policy director [[network device]] functions in any one of, or a combination of,
the following modes:

a. transparent mode, wherein the authentication messages in a provider network pass
through the service policy director [[network device]] without any modification to the IP addresses
and data of said authentication messages;

b. proxy mode, wherein the authentication messages in a provider network pass through
the service policy director [[network device]], said network device modifies IP addresses of said
authentication messages without any modification to the data of said authentication messages;
and

c. passive mode, wherein the authentication messages in a provider network are copied to
the service policy director [[network device]].

7. (Currently Amended) A method for managing network user traffic received by a service
policy director [[network device]], said network user traffic including at least a request for a server
or service, said method comprising steps of:

a. determining by the service policy director a user policy table based on an at least an
initial authentication message sent from a user to an authentication server;

b. identifying a user originating said network user traffic;

c. consulting the user policy table to locate a user service policy corresponding to said
user; and

d. managing said network user traffic based on said consulting step by any one or more
of the following:

i. forwarding network user traffic to a requested server, 

ii. redirecting network user traffic to a server providing a same service as a 
requested server, 

iii. sending network user traffic through filtering software before forwarding user 
traffic to a requested server, 

iv. denying transmission of user traffic on the basis of access privileges, 

v. counting or logging user traffic in order to provide network usage information, 

or 

vi. denying or delaying transmission of network user traffic on the basis of service 
level parameters. 

8. (Cancelled) 

9. (Currently Amended) A method for managing network user traffic received by a service
policy director [[network device]], as per claim 8, wherein authentication messages are using any of
the Radius protocol or the LDAP protocol.

10. (Currently Amended) A method for managing network user traffic received by a service
policy director [[network device]], as per claim 7, wherein said network device offers internal
network services comprising at least one of bandwidth management, access control or network
usage statistics.

11. (Currently Amended) A method for managing network user traffic received by a service
policy director [[network device]], as per claim 7, wherein said network device functions in any one
of the following modes:

a. transparent mode, wherein the authentication messages in a provider network pass
through the service policy director [[network device]] without any modification to the IP addresses
and data of said authentication messages;

b. proxy mode, wherein the authentication messages in a provider network pass through
the service policy director [[network device]], said network device modifies IP addresses of said
authentication messages without any modification to the data of said authentication messages;
and

c. passive mode, wherein the authentication messages in a provider network are copied to
the service policy director [[network device]].

12. (Currently Amended) A method for enforcing service policies over a network, said method
implemented in a service policy director [[network device]], comprising steps of:

a. receiving authentication messages for a user at said service policy director [[network
device]];

b. determining user identifiers and service attributes associated with said user from at
least a first authentication message;

c. creating a user service policy entry in a user policy table for said identified user based
on said service attributes;

d. consulting said user policy table to determine how to manage user traffic subsequent to 
said user authentication message; and 

e. managing said subsequent user traffic including any one or more of the following: 

i. forwarding user traffic to requested server, 

ii. redirecting user traffic to a server providing same service as requested server, 

iii. sending user traffic through filtering software before forwarding user traffic to 
requested server, 

iv. denying transmission of user traffic on the basis of access privileges, 

v. counting or logging user traffic in order to provide network usage information 
or 

vi. denying or delaying transmission of user traffic on the basis of service level 
parameters. 


13. (Original) A method for enforcing service policies over a network, as per claim 12, wherein 
authentication messages are using any of the Radius protocol or the LDAP protocol. 

14. (Currently Amended) A method for enforcing service policies over a network, as per claim
12, wherein said service policy director [[network device]] offers internal network services
comprising at least one of bandwidth management, access control or network usage statistics.

15. (Currently Amended) A method for enforcing service policies over a network, as per claim
12, wherein said service policy director [[network device]] functions in any one of the following
modes:

a. transparent mode, wherein the authentication messages in a provider network pass
through the service policy director [[network device]] without any modification to the IP addresses
and data of said authentication messages;

b. proxy mode, wherein the authentication messages in a provider network pass through
the service policy director [[network device]], said network device modifies IP addresses of said
authentication messages without any modification to the data of said authentication messages;
and

c. passive mode, wherein the authentication messages in a provider network are copied to
the service policy director [[network device]].

16. (Currently Amended) A system for enforcing service policies over a network comprising the 
following; 

a user request-issuing device; 

a service provider network over which user authentication messages and user traffic 
originated by said user request-issuing device is transmitted; 

an authentication server to which said user request-issuing device attempts to connect and 
by which said user request-issuing device is authenticated and registered; and 

a network device independent of said authentication server including a service policy
director [[independent of said authentication server]], enforcing a service policy for said user
request-issuing device, said network device receiving the authentication messages and creating
the service policy there from.

wherein said user request-issuing device [[may be]] is included in at least a network access
server of a service provider network or in a user network.

17. (Original) A system for enforcing service policies over a network, as per claim 16, wherein 
said service policy director includes a user policy table. 

18. (Original) A system for enforcing service policies over a network, as per claim 17, wherein 
said user policy table includes user identifier information and service attribute information. 

19. (Original) A system for enforcing service policies over a network, as per claim 18, wherein 
said user identifier information includes at least an Internet/intranet address. 

20. (Original) A system for enforcing service policies over a network, as per claim 19, wherein
said user identification information further includes any of username, session identification or
Internet cookie.

21. (Original) A system for enforcing service policies over a network, as per claim 18, wherein 
said attribute information includes any one or more of the following: access privileges 
parameters, traffic logging mechanisms and user activity statistics entitlement parameters, 
security services entitlement parameters, or service quality level parameters. 

22. (Original) A system for enforcing service policies over a network, as per claim 21, wherein
said service quality level parameters include any one or more of the following:
a bandwidth limit, a bandwidth guarantee, or a bandwidth priority.

23. (Currently Amended) A system for enforcing service policies over a network, as per ek±m 
3 £ claim wherein said service attributes define services offered by said service policy 
director, said services including any one or more of the following; classification of network user 
traffic, modification of network user traffic, forwarding of network user traffic, or logging of 
single network user traffic statistics. 

24. (Original) A system for enforcing service policies over a network, as per claim 16, wherein 
said network device offers internal network services including at least one of bandwidth 
management, access control or network usage statistics.

25. (Original) A system for enforcing service policies over a network, as per claim 18, wherein 
a plurality of said service policy directors reside on a network. 

26. (Original) A system for enforcing service policies over a network, as per claim 16, wherein 
said network device including said service policy director functioning in a transparent mode, 
wherein the authentication messages in a provider network pass through the network device 
without any modification to the IP addresses and data of said authentication messages. 

27. (Original) A system for enforcing service policies over a network, as per claim 26, wherein 
said service policy director functioning in said transparent mode receives said user authentication 
request messages addressed to said authentication server and forwards said user authentication 
request messages to said authentication server.

28. (Original) A system for enforcing service policies over a network, as per claim 16, wherein 
said network device including said service policy director functioning in a proxy mode, wherein 
the authentication messages in a provider network pass through the network device, said network 
device modifies IP addresses of said authentication messages without any modification to the 
data of said authentication messages. 

29. (Original) A system for enforcing service policies over a network, as per claim 28, wherein 
said service policy director functioning in said proxy mode receives said user authentication 
request messages addressed to said service policy director and forwards it to said authentication 
server. 

30. (Original) A system for enforcing service policies over a network, as per claim 16, wherein 
said network device comprising said service policy director functioning in a passive mode, 
wherein the authentication messages in a provider network are copied to the network device. 

31. (Currently Amended) A system for enforcing service policies over a network receiving user
access request traffic, said system comprising a service policy director in at least one of the
following configurations:

a user request-issuing device operatively connected to a service policy director, said
service policy director connected to an authentication server, and said authentication server being
operatively connected to said user request-issuing device, wherein said service policy director
receives [[said]] a user authentication request messages addressed to said authentication server and
forwards said user authentication request messages to said authentication server, wherein said
service policy director creates a service policy from the received authentication request message;

a user request-issuing device operatively connected a service policy director, said service
policy director being operatively connected to said user request-issuing device, and an
authentication server being operatively connected to said service policy director, wherein said
service policy director, receives [[said]] a user authentication request messages and queries said
authentication server, and wherein said service policy director creates a service policy from the
received authentication request message; and

a user request-issuing device operatively connected to a service policy director, said
service policy director receiving copied network user traffic, said copied network user traffic
copied by a network device, and said user-request issuing device being operatively connected to
said service policy director, the service policy director receives a copy of [[said]] a user
authentication request messages addressed to and destined for said authentication server, wherein
said service policy director creates a service policy from the received authentication request
message. 
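
The method of claims 1 and 12 with the director in the passive mode of claim 6(c), as an added Python example that is not part of the filing: it correlates a copied RADIUS Access-Request and Access-Accept, creates the user policy table entry, and consults it for later traffic. Assumptions not in the claims: the names PolicyDirector, parse_radius, build and demo are hypothetical, the table is keyed by Framed-IP-Address, a Filter-Id value selects the filtering action, and an entry is created only when the reply's RFC 2865 Response Authenticator verifies against a shared secret known to the director.

```python
import hashlib, hmac, ipaddress, struct
USER_NAME, FRAMED_IP, FILTER_ID = 1, 8, 11   # RFC 2865 attribute types
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2         # RFC 2865 packet codes

def parse_radius(pkt):
    """Return (code, id, authenticator, {type: value}, raw attribute bytes)."""
    if len(pkt) < 20 or not 20 <= int.from_bytes(pkt[2:4], "big") <= len(pkt):
        raise ValueError("bad RADIUS length")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs, pkt[20:length]

def build(code, ident, attrs, req_auth, secret=None):   # constructed sample packets
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(head + req_auth + body + secret).digest() if secret else req_auth
    return head + auth + body

class PolicyDirector:                        # hypothetical name; passive mode
    def __init__(self, secret):
        self.secret, self.pending, self.table = secret, {}, {}

    def observe(self, pkt):                  # steps a-c on a copied message
        code, ident, auth, attrs, body = parse_radius(pkt)
        if code == ACCESS_REQUEST:
            self.pending[ident] = (auth, attrs.get(USER_NAME, b"").decode(errors="replace"))
        elif code == ACCESS_ACCEPT and ident in self.pending:
            req_auth, user = self.pending.pop(ident)
            want = hashlib.md5(pkt[:4] + req_auth + body + self.secret).digest()
            if hmac.compare_digest(want, auth) and len(attrs.get(FRAMED_IP, b"")) == 4:
                ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP]))
                self.table[ip] = {"user": user, "filter": attrs.get(FILTER_ID, b"").decode()}

    def manage(self, src_ip):                # steps d-e: consult table, choose action
        entry = self.table.get(src_ip)       # no entry means access-control denial
        return "deny" if entry is None else "filter" if entry["filter"] else "forward"

def demo():
    secret, ra = b"constructed-secret", bytes(range(16))   # constructed values
    d = PolicyDirector(secret)
    d.observe(build(1, 7, [(USER_NAME, b"alice")], ra))
    d.observe(build(2, 7, [(FRAMED_IP, bytes([10, 0, 0, 5])), (FILTER_ID, b"web")], ra, secret))
    d.observe(build(1, 8, [(USER_NAME, b"bob")], ra))
    d.observe(build(2, 8, [(FRAMED_IP, bytes([10, 0, 0, 6]))], ra, b"wrong-secret"))
    return d.manage("10.0.0.5"), d.manage("10.0.0.6"), d.table
```

The second reply in demo() fails authenticator verification, so no table entry is created and traffic from that address is denied.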